cyber espionage

{{Short description|Obtaining secrets using the Internet}}

Cyber espionage, cyber spying, or cyber-collection is the act or practice of obtaining secrets and information without the permission and knowledge of the holder of the information, using methods on the Internet, networks or individual computers such as proxy servers,{{cite web|title=Residential proxy network use cases|url=https://www.geosurf.com/proxy-use-cases/|publisher=GeoSurf|access-date=28 September 2017}} cracking techniques and malicious software including Trojan horses and spyware.{{cite web|title=Cyber Espionage|url=https://www.pcmag.com/encyclopedia/term/64376/cyber-espionage|publisher=PC Magazine}}{{cite web|title=Cyberspying|date=11 March 2024 |url=http://www.techopedia.com/definition/27101/cyberspying|publisher=Techopedia}} Cyber espionage can target various actors – individuals, competitors, rivals, groups, governments and others – in order to obtain personal, economic, political or military advantages. It may be carried out wholly online by professionals working from bases in distant countries, may involve physical infiltration at home by computer-trained conventional spies and moles, or in other cases may be the criminal handiwork of amateur malicious hackers and software programmers.

History

Cyber spying dates back at least to 1996, when widespread deployment of Internet connectivity to government and corporate systems gained momentum. Since then there have been numerous cases of such activity.Pete Warren, [https://www.theguardian.com/technology/2012/aug/30/state-sponsored-cyber-espionage-prevalent State-sponsored cyber espionage projects now prevalent, say experts], The Guardian, August 30, 2012Nicole Perlroth, [http://bits.blogs.nytimes.com/2012/08/13/elusive-finspy-spyware-pops-up-in-10-countries/ Elusive FinSpy Spyware Pops Up in 10 Countries], New York Times, August 13, 2012Kevin G. Coleman, [http://gov.aol.com/2012/07/02/has-stuxnet-duqu-and-flame-ignited-a-cyber-arms-race/ Has Stuxnet, Duqu and Flame Ignited a Cyber Arms Race?] {{Webarchive|url=https://web.archive.org/web/20120708064953/http://gov.aol.com/2012/07/02/has-stuxnet-duqu-and-flame-ignited-a-cyber-arms-race/ |date=2012-07-08 }}, AOL Government, July 2, 2012

Details

Cyber spying typically involves using the access gained to secrets and classified information, or control of individual computers or whole networks, for strategic advantage and for psychological, political and physical subversion and sabotage.{{cite web|last=Messmer|first=Ellen|title=Cyber Espionage: A Growing Threat to Business|url=http://www.pcworld.com/article/141474/article.html|access-date=Jan 21, 2008|archive-date=January 26, 2021|archive-url=https://web.archive.org/web/20210126055427/https://www.pcworld.com/article/141474/article.html|url-status=dead}} More recently, cyber spying has also involved analysis of public activity on social networking sites such as Facebook and Twitter.{{cite web|url=https://lockergnome.com/2011/11/07/five-ways-the-government-spies-on-you/|title=Five Ways the Government Spies on You|date=7 November 2011|website=The LockerGnome Daily Report|access-date=9 February 2019|archive-date=18 October 2019|archive-url=https://web.archive.org/web/20191018234113/https://lockergnome.com/2011/11/07/five-ways-the-government-spies-on-you/|url-status=dead}}

Such operations, like non-cyber espionage, are typically illegal in the victim country while fully supported at the highest level of government in the aggressor country. Whether they are considered ethical likewise depends on one's viewpoint, particularly one's opinion of the governments involved.

Platforms and functionality

Cyber-collection tools have been developed by governments and private interests for nearly every computer and smartphone operating system. Tools are known to exist for Microsoft Windows, Apple and Linux computers and for iPhone, Android, BlackBerry and Windows phones.Vernon Silver, [https://www.bloomberg.com/news/2012-08-29/spyware-matching-finfisher-can-take-over-iphone-and-blackberry.html Spyware Matching FinFisher Can Take Over IPhones], Bloomberg, August 29, 2012 Major manufacturers of commercial off-the-shelf (COTS) cyber-collection technology include Gamma Group from the UK{{Cite web |url=http://www.finfisher.com/FinFisher/en/index.php |title=FinFisher IT Intrusion |access-date=2012-07-31 |archive-url=https://wayback.archive-it.org/all/20120731073430/http://www.finfisher.com/FinFisher/en/index.php |archive-date=2012-07-31 |url-status=dead }} and Hacking Team from Italy.{{Cite web |url=http://www.hackingteam.it/index.php/remote-control-system |title=Hacking Team, Remote Control System |access-date=2013-01-21 |archive-url=https://web.archive.org/web/20161215165754/http://www.hackingteam.it/index.php/remote-control-system |archive-date=2016-12-15 |url-status=dead }} Bespoke cyber-collection tool companies, many offering COTS packages of zero-day exploits, include Endgame, Inc. and Netragard of the United States and Vupen from France.Mathew J. Schwartz, [https://www.informationweek.com/security/attacks/weaponized-bugs-time-for-digital-arms-co/240008564 Weaponized Bugs: Time For Digital Arms Control], Information Week, 9 October 2012 State intelligence agencies often have their own teams to develop cyber-collection tools, such as Stuxnet, but require a constant supply of zero-day exploits in order to insert their tools into newly targeted systems. Specific technical details of these attack methods often sell for six-figure sums.Ryan Gallagher, [http://www.slate.com/articles/technology/future_tense/2013/01/zero_day_exploits_should_the_hacker_gray_market_be_regulated.html Cyberwar’s Gray Market], Slate, 16 Jan 2013

Common functionality of cyber-collection systems includes:

  • Data scan: local and network storage are scanned to find and copy files of interest; these are often documents, spreadsheets, design files such as AutoCAD drawings and system files such as the passwd file.
  • Capture location: GPS, WiFi, network information and other attached sensors are used to determine the location and movement of the infiltrated device
  • Bug: the device microphone can be activated in order to record audio. Likewise, audio streams intended for the local speakers can be intercepted at the device level and recorded.
  • Hidden private networks: these bypass corporate network security. A computer that is being spied upon can be attached to a legitimate, heavily monitored corporate network while at the same time belonging to a private Wi-Fi network outside the company network that leaks confidential information off the employee's computer. Such a setup is easily arranged by a double agent working in the IT department: a second wireless card is installed in the computer, together with software that allows the employee's computer to be monitored remotely through that second interface, so that the user is never aware of the side-band channel pulling information off the machine.
  • Camera: the device cameras can be activated in order to covertly capture images or video.
  • Keylogger and Mouse Logger: the malware agent can capture each keystroke, mouse movement and click that the target user makes. Combined with screen grabs, this can be used to obtain passwords that are entered using a virtual on-screen keyboard.
  • Screen Grabber: the malware agent takes periodic screen captures. In addition to showing sensitive information that may not be stored on the machine, such as e-banking balances and the decrypted contents of encrypted web mail, these can be combined with the key and mouse logger data to determine access credentials for other Internet resources.
  • Encryption: collected data is usually encrypted at the time of capture and may be transmitted live or stored for later exfiltration. Likewise, it is common practice for each operation to use operation-specific encryption and polymorphic capabilities of the cyber-collection agent, so that detection in one location will not compromise others.
  • Bypass Encryption: because the malware agent operates on the target system with all the access and rights of the target's user account or of the system administrator, encryption is bypassed: data is captured before it is encrypted or after it has been decrypted. For example, interception of audio at the microphone and audio output devices enables the malware to capture both sides of an encrypted Skype call.Daniele Milan, [http://www.comm.rtaf.mi.th/Sitedirectory/124/3148/3148_2_6-Daniele-Milan.pdf The Data Encryption Problem] {{Webarchive|url=https://web.archive.org/web/20220408132112/http://www.comm.rtaf.mi.th/Sitedirectory/124/3148/3148_2_6-Daniele-Milan.pdf |date=2022-04-08 }}, Hacking Team
  • Exfiltration: cyber-collection agents usually exfiltrate the captured data in a discreet manner, often waiting for periods of high web traffic and disguising the transmission as secure web browsing. USB flash drives have been used to exfiltrate information from air-gapped systems. Exfiltration systems often involve reverse proxy systems that anonymize the receiver of the data.Robert Lemos, [https://www.infoworld.com/t/malware/flame-stashes-secrets-in-usb-drives-195455 Flame stashes secrets in USB drives] {{Webarchive|url=https://web.archive.org/web/20140315081934/https://www.infoworld.com/t/malware/flame-stashes-secrets-in-usb-drives-195455 |date=2014-03-15 }}, InfoWorld, June 13, 2012
  • Replicate: Agents may replicate themselves onto other media or systems, for example an agent may infect files on a writable network share or install themselves onto USB drives in order to infect computers protected by an air gap or otherwise not on the same network.
  • Manipulate Files and File Maintenance: malware can erase traces of itself from log files. It can also download and install modules, updates and data files. This function may also be used to plant "evidence" on the target system, e.g. to insert child pornography onto a politician's computer or to manipulate votes on an electronic vote-counting machine.
  • Combination Rules: Some agents are very complex and are able to combine the above features in order to provide very targeted intelligence collection capabilities. For example, the use of GPS bounding boxes and microphone activity can be used to turn a smart phone into a smart bug that intercepts conversations only within the office of a target.
  • Compromised cellphones: since modern cellphones are increasingly similar to general-purpose computers, they are vulnerable to the same cyber-collection attacks as computer systems and can leak extremely sensitive conversational and location information to an attacker.[https://www.youtube.com/watch?v=elgj2ZFMZDE how to spy on a cell phone without having access] Leaking of cellphone GPS location and conversations to an attacker has been reported in a number of cyber stalking cases in which the attacker used the victim's GPS location to call nearby businesses or the police and make false allegations against the victim based on where they were. This ranges from passing restaurant staff information with which to tease the victim to making false witness statements against them; for instance, if the victim is parked in a large parking lot, the attacker may call and claim to have seen drug or violent activity, giving a description of the victim and directions to their location.
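Exfiltration that waits for busy periods and hides inside what looks like ordinary secure web browsing (the Encryption and Exfiltration items above) cannot be spotted by inspecting content, because the content is encrypted, but it still distorts traffic shape: the compromised host uploads far more than it downloads, repeatedly, to a destination that no other host in the organization talks to. The following script is an added example written for this article, not code from any tool or operation named here. It runs that detection logic over a constructed proxy log whose line format (epoch, client IP, destination host, bytes out, bytes in) is a placeholder for whatever a real proxy emits, and every threshold is an assumption to be tuned against the environment's own baseline.

```python
"""Flag possible low-and-slow exfiltration in outbound proxy logs.

Added example for this article, not code from any tool it names. It assumes
a hypothetical proxy log format, constructed below, with one line per TLS
session: <epoch> <client_ip> <dest_host> <bytes_out> <bytes_in>.
"""
from collections import defaultdict

# Constructed sample: a busy lunchtime window in which most clients browse
# normally and one client (10.0.0.9) pushes far more data out than it pulls
# in, to a host nobody else contacts.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com 1200 48000
1700000005 10.0.0.6 www.example.com 900 52000
1700000010 10.0.0.7 cdn.example.net 1100 250000
1700000015 10.0.0.5 cdn.example.net 800 180000
1700000020 10.0.0.6 mail.example.org 30000 40000
1700000030 10.0.0.9 www.example.com 1000 47000
1700000031 10.0.0.9 relay-7f3.example-cloud.test 310000 2100
1700000090 10.0.0.9 relay-7f3.example-cloud.test 295000 1900
1700000150 10.0.0.9 relay-7f3.example-cloud.test 305000 2000
"""


def parse_log(text):
    """Parse the constructed format into dicts; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, host, out_b, in_b = parts
        try:
            rows.append({"ts": int(ts), "client": client, "host": host,
                         "out": int(out_b), "in": int(in_b)})
        except ValueError:
            continue
    return rows


def find_exfil_candidates(rows, min_upload=500_000, min_ratio=10.0,
                          max_clients=1):
    """Return (client, host) pairs whose traffic shape looks like exfiltration.

    Three signals are required together: a large total upload volume, an
    upload:download ratio far above what browsing produces, and a destination
    contacted by very few distinct clients (rarity). The defaults are
    assumptions for the constructed sample, not measured baselines.
    """
    up = defaultdict(int)
    down = defaultdict(int)
    clients_per_host = defaultdict(set)
    for r in rows:
        key = (r["client"], r["host"])
        up[key] += r["out"]
        down[key] += r["in"]
        clients_per_host[r["host"]].add(r["client"])

    hits = []
    for (client, host), out_total in up.items():
        ratio = out_total / max(down[(client, host)], 1)
        if (out_total >= min_upload and ratio >= min_ratio
                and len(clients_per_host[host]) <= max_clients):
            hits.append({"client": client, "host": host,
                         "bytes_out": out_total, "ratio": round(ratio, 1)})
    return sorted(hits, key=lambda h: -h["bytes_out"])


if __name__ == "__main__":
    for hit in find_exfil_candidates(parse_log(SAMPLE_LOG)):
        print(hit)
```

On the sample this reports the single pair 10.0.0.9 to relay-7f3.example-cloud.test (910,000 bytes out against 6,000 in). The rarity signal is what keeps a legitimately upload-heavy service such as a mail server from being flagged on volume alone; in production the client count per destination should be computed over a longer window than the one being scored.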

Infiltration

There are several common ways to infect or gain access to the target:

  • An Injection Proxy is a system placed upstream of the target individual or company, usually at the Internet service provider, that injects malware into the target's system. For example, an innocent download made by the user can have the malware executable injected into it on the fly, so that the target system then becomes accessible to the government agents.Pascal Gloor, [http://www.swinog.ch/wp-content/uploads/2018/07/02_UnLawful-Intercept-2012-11-07-SwiNOG25.pdf (Un)lawful Interception] {{webarchive|url=https://web.archive.org/web/20160205065155/http://www.swinog.ch/meetings/swinog25/p/02_%28Un%29Lawful%20Intercept%202012-11-07%20SwiNOG25.pdf |date=2016-02-05 }}, SwiNOG #25, 07 November 2012
  • Spear Phishing: a carefully crafted e-mail is sent to the target to entice them to install the malware, either via a Trojan document or via a drive-by attack hosted on a web server compromised or controlled by the malware owner.Mathew J. Schwartz, [https://www.informationweek.com/security/attacks/operation-red-october-attackers-wielded/240146621 Operation Red October Attackers Wielded Spear Phishing], Information Week, January 16, 2013
  • Surreptitious Entry may be used to infect a system: the spies break into the target's residence or office and install the malware on the target's system.FBI Records: The Vault, [http://vault.fbi.gov/Surreptitious%20Entries%20%28Black%20Bag%20Jobs%29%20/ Surreptitious Entries], Federal Bureau of Investigation
  • An Upstream monitor or sniffer is a device that can intercept and view the data transmitted by a target system. Usually this device is placed at the Internet service provider. The Carnivore system developed by the U.S. FBI is a well-known example of this type of system. Based on the same logic as a telephone intercept, this type of system is of limited use today because of the widespread encryption of data in transit.
  • A wireless infiltration system can be used in proximity to the target when the target is using wireless technology. This is usually a laptop-based system that impersonates a Wi-Fi or 3G base station in order to capture the target systems and relay their requests upstream to the Internet. Once the target systems are on the rogue network, the system functions as an injection proxy or as an upstream monitor to infiltrate or monitor them.
  • A USB key preloaded with the malware infector may be given to the target or dropped at the target site.

Cyber-collection agents are usually installed by payload-delivery software constructed using zero-day exploits and delivered via infected USB drives, e-mail attachments or malicious web sites.Kim Zetter, [http://www.cnn.com/2012/05/29/tech/web/iran-spyware-flame/index.html "Flame" spyware infiltrating Iranian computers], CNN - Wired, May 30, 2012Anne Belle de Bruijn, [http://www.elsevier.nl/Tech/nieuws/2012/7/Cybercriminelen-doen-poging-tot-spionage-bij-DSM-ELSEVIER343610W/ Cybercriminelen doen poging tot spionage bij DSM], Elsevier, July 9, 2012 State-sponsored cyber-collection efforts have also used official operating system certificates instead of relying on security vulnerabilities. In the Flame operation, Microsoft stated that the Microsoft certificate used to impersonate Windows Update was forged;Mike Lennon, [https://www.securityweek.com/microsoft-unauthorized-certificate-was-used-sign-flame-malware Microsoft Certificate Was Used to Sign "Flame" Malware] {{webarchive|url=https://web.archive.org/web/20130307131239/http://www.securityweek.com/microsoft-unauthorized-certificate-was-used-sign-flame-malware |date=2013-03-07 }}, June 4, 2012 however, some experts believe that it may have been acquired through HUMINT efforts.Paul Wagenseil, [https://www.nbcnews.com/id/wbna47675971 Flame Malware Uses Stolen Microsoft Digital Signature], NBC News, June 4, 2012
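An injection proxy rewrites a download while it is in flight, and the Flame update impersonation delivered a signed binary the victim never asked for; in both cases what arrives differs from what the publisher released. One control that catches both is to pin the expected SHA-256 digest of the artifact from a source the interception point cannot also rewrite (for instance a signed release manifest fetched over a separate path) and to refuse to run anything whose digest differs, regardless of what signature it carries. The Python below is an added example for this article, not code from Microsoft, Flame or any vendor named here; the download bytes, the pinned digest and the length-preserving tampering function are constructed stand-ins.

```python
"""Verify a downloaded artifact against a pinned SHA-256 digest.

Added example for this article; not code from any project named here. The
digest is assumed to have been obtained out of band (e.g. from a signed
manifest fetched over a separate path), so an injection proxy that rewrites
the download cannot also rewrite the expected value.
"""
import hashlib
import hmac

# Constructed stand-ins: the bytes a vendor actually published, and the
# digest a client would pin before fetching. A real pinned digest is a
# 64-character hex string shipped with the manifest; here it is computed from
# the sample so the example stays self-contained.
ORIGINAL_DOWNLOAD = b"#!/bin/sh\necho 'installer v1.2 - trusted build'\n"
EXPECTED_LENGTH = len(ORIGINAL_DOWNLOAD)
PINNED_SHA256 = hashlib.sha256(ORIGINAL_DOWNLOAD).hexdigest()


def tamper_in_transit(payload, stub=b"echo 'dropper'\n"):
    """Model an upstream proxy rewriting a download on the fly.

    This is only a constructed model of the effect described in the article,
    not an injection proxy: the stub overwrites the tail of the payload so the
    length is unchanged, which is exactly what a size-only check misses.
    """
    if len(stub) > len(payload):
        raise ValueError("stub longer than payload")
    return payload[:len(payload) - len(stub)] + stub


def size_matches(received, expected_length):
    """Weak check: length alone. A length-preserving rewrite passes it."""
    return len(received) == expected_length


def verify_download(received, expected_hex):
    """Return True only if the received bytes hash to the pinned digest.

    hmac.compare_digest is a constant-time comparison; a plain == on the hex
    strings would leak how many leading characters matched.
    """
    actual_hex = hashlib.sha256(received).hexdigest()
    return hmac.compare_digest(actual_hex, expected_hex)


def check_and_report(received, expected_hex):
    """Short verdict string suitable for an installer log line."""
    if verify_download(received, expected_hex):
        return "ok: digest matches pinned value"
    return "digest mismatch: refusing to install"


if __name__ == "__main__":
    tampered = tamper_in_transit(ORIGINAL_DOWNLOAD)
    print("size check on tampered file:", size_matches(tampered, EXPECTED_LENGTH))
    print("genuine :", check_and_report(ORIGINAL_DOWNLOAD, PINNED_SHA256))
    print("tampered:", check_and_report(tampered, PINNED_SHA256))
```

The size check passes the tampered file and the digest check rejects it, which is why Content-Length or file size is never sufficient on its own. A code signature on top of the digest helps only if the trusted signer set is restricted to the publisher's own key: a binary validly signed by some other certificate the platform happens to trust, which is what the Flame case amounted to, is still rejected by the pinned digest.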

Examples of operations

  • Stuxnet
  • Flame
  • Duqu
  • Bundestrojaner
  • Rocra (Operation Red October)[https://www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation "Red October" Diplomatic Cyber Attacks Investigation], Securelist, January 14, 2013[http://newsroom.kaspersky.eu/fileadmin/user_upload/en/Presskits/090113_Press_Release_Rocra.pdf Kaspersky Lab Identifies Operation Red October] {{Webarchive|url=https://web.archive.org/web/20160304075734/http://newsroom.kaspersky.eu/fileadmin/user_upload/en/Presskits/090113_Press_Release_Rocra.pdf |date=2016-03-04 }}, Kaspersky Lab Press Release, January 14, 2013
  • Operation High RollerDave Marcus & Ryan Cherstobitoff, [http://www.mcafee.com/us/resources/reports/rp-operation-high-roller.pdf Dissecting Operation High Roller] {{Webarchive|url=https://web.archive.org/web/20130308024801/http://www.mcafee.com/us/resources/reports/rp-operation-high-roller.pdf |date=2013-03-08 }}, McAfee Labs
  • Cozy Bear: a well-resourced, highly dedicated and organized cyber espionage group that F-Secure believes has been working for the Russian Federation since at least 2008.{{cite web|url=https://campaigns.f-secure.com/dukes-timeline/index.html|title=the Dukes, timeline|access-date=2015-10-13|archive-url=https://web.archive.org/web/20151013095556/https://campaigns.f-secure.com/dukes-timeline/index.html|archive-date=2015-10-13|url-status=dead}}{{cite web|url=https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf|title=The Dukes Whitepaper|archive-url=https://web.archive.org/web/20151209123302/https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf|archive-date=2015-12-09|url-status=live}}{{cite web|url=https://press.f-secure.com/?|title=F-Secure Press Room - Global}}

References

{{reflist}}
